Your law firm will be breached. The question is whether you’ll know.

Short answer

Law firms are among the most targeted organisations for data theft. They hold financial transaction details, merger and acquisition information, litigation strategy, personal client data, and privileged communications. A single compromised credential exposes every matter the affected attorney has worked on. The real question is whether you will know when one happens, and what your actual exposure will be at that moment.

Why law firms are targeted

Law firms are attractive targets for several reasons that compound each other. They hold highly sensitive client data, including information that is valuable to competitors, litigants, and state actors. They often have weaker security postures than the financial institutions or corporations they represent. And the attorney-client relationship means that clients share information they would not share with anyone else, confident that it is protected. That confidence is what makes the data valuable.

The FBI has issued repeated warnings specifically about cyber threats to law firms. State-sponsored actors from China, Russia, and other nations have been documented targeting law firms involved in high-value M&A transactions, sanctions-related matters, and litigation against state-linked entities. The motivation is the same across all of them: the firm has information the adversary wants, and the firm is often easier to breach than the client directly.

How breaches actually happen at law firms

Phishing is the most common entry point. An attorney receives an email that appears to come from a client, a court, or a colleague. The email contains a link or an attachment. The attorney clicks it. Credentials are captured or malware is installed. The attacker has access to everything that attorney can access, including the document management system, the billing system, and every client email going back years.

The sophistication of the phishing attempts targeting law firms has increased substantially. Spear phishing attacks reference ongoing matters by name, use the names of real colleagues, and arrive at times that match the attorney’s known schedule. These are researched attacks that exploit the trust relationships legal practice depends on, not the generic fraud attempts most people recognize and delete on sight.

Credential stuffing is the second most common vector. Attorneys use the same email and password combination across personal accounts and professional systems. A breach at an unrelated site exposes credentials that are then tested against the firm’s systems. If multi-factor authentication is not enforced, the attacker is in with no technical sophistication required.

Third-party vendor compromise is increasingly common. E-discovery vendors, document review platforms, practice management software providers, and IT support contractors all have access to firm systems. When one of these vendors is breached, the firm’s data is exposed through the vendor’s access rather than through the firm’s own systems. The 2016 Panama Papers leak was preceded by a long period of unauthorized access that likely involved third-party systems.

What a single compromised credential exposes

In most firm architectures, an attorney’s email credentials provide access to years of client communications, to matter files in the document management system, to billing records, and often to the client portal where clients have uploaded sensitive documents. The access extends to everything the attorney has ever touched, not just what they opened recently.

This is the exposure scope that makes law firm breaches different from most data breaches. A retail company’s customer database contains names and credit card numbers. A law firm’s systems contain privileged communications, unreported financial information, and matter strategy for dozens or hundreds of clients. The value per record is orders of magnitude higher. So is the liability when the breach becomes known. What the attacker actually pulls once they are in is itself documented in our analysis of what a single account compromise actually exposes across modern platforms.

What detection actually looks like

Most law firms discover breaches months after the initial compromise, if at all. The attacker’s goal is persistent, quiet access, not immediate disruption. They read email, download documents, and maintain access for as long as possible before the breach is discovered or they have extracted what they needed.

The firms with the best detection capability are those with endpoint detection and response tools that flag unusual access patterns, log aggregation that allows forensic reconstruction, and regular review of access logs for anomalous behavior. Most small and mid-size firms have none of these. Discovery happens when a client reports that their confidential information appeared somewhere it should not, or when a ransomware actor encrypts the files and announces the breach themselves.
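What "regular review of access logs for anomalous behavior" looks like in practice, as an added example that is not part of the original article: a small script that reads authentication events and flags the credential-stuffing pattern (one source address failing against many distinct accounts) and any successful login that completed without MFA. The log format, the sample lines, the source addresses and the threshold are all constructed assumptions for illustration.

```python
# Added example: reviewing authentication logs for the patterns the article describes.
# The log format and every sample line below are constructed for illustration;
# they are not from any real system or from the original article.
from collections import defaultdict

# Constructed sample: timestamp, account, source IP, outcome, whether MFA completed.
SAMPLE_LOG = """\
2026-03-04T02:11:05Z user=asmith@firm.example ip=203.0.113.7 result=fail mfa=no
2026-03-04T02:11:06Z user=bjones@firm.example ip=203.0.113.7 result=fail mfa=no
2026-03-04T02:11:07Z user=clee@firm.example ip=203.0.113.7 result=fail mfa=no
2026-03-04T02:11:08Z user=dpatel@firm.example ip=203.0.113.7 result=success mfa=no
2026-03-04T08:30:12Z user=asmith@firm.example ip=198.51.100.20 result=success mfa=yes
2026-03-04T08:32:40Z user=bjones@firm.example ip=198.51.100.21 result=fail mfa=no
2026-03-04T08:32:55Z user=bjones@firm.example ip=198.51.100.21 result=success mfa=yes
"""

def parse_line(line):
    """Turn one constructed log line into a dict of its key=value fields plus 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = ts
    return rec

def review_auth_log(text, min_distinct_users=3):
    """Return (finding, detail) tuples for a human to triage.

    - credential_stuffing: one source IP failed against >= min_distinct_users accounts
    - success_no_mfa: a login succeeded without a second factor, i.e. MFA is not
      enforced on that path; it is marked separately when it came from a stuffing IP.
    """
    records = [parse_line(l) for l in text.splitlines() if l.strip()]
    failed_users_by_ip = defaultdict(set)
    for r in records:
        if r["result"] == "fail":
            failed_users_by_ip[r["ip"]].add(r["user"])
    stuffing_ips = {ip for ip, users in failed_users_by_ip.items()
                    if len(users) >= min_distinct_users}
    findings = [("credential_stuffing", ip) for ip in sorted(stuffing_ips)]
    for r in records:
        if r["result"] == "success" and r["mfa"] == "no":
            kind = ("success_no_mfa_from_stuffing_ip" if r["ip"] in stuffing_ips
                    else "success_no_mfa")
            findings.append((kind, f'{r["user"]} from {r["ip"]} at {r["ts"]}'))
    return findings

if __name__ == "__main__":
    for finding in review_auth_log(SAMPLE_LOG):
        print(*finding)
```

A single failed login followed by an MFA-backed success (the bjones lines) produces no finding, which is the ordinary case the review should stay quiet about.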

The minimum viable security posture

Multi-factor authentication on every system, without exception. This single control stops credential stuffing and limits the damage from phishing by requiring the attacker to also have physical access to the attorney’s second factor. It is the highest-return security control available. It is also the one most commonly deferred because it creates friction. The friction is the point.

A password manager with unique credentials for every system. The tools lawyers actually need include a password manager as the foundation of every other security practice. Unique credentials mean a breach of one system does not cascade into others.

Encrypted email for client communications that contain privileged information. Standard email is not end-to-end encrypted. Messages pass through servers that can be legally compelled, breached, or monitored. ProtonMail or an S/MIME implementation for the most sensitive client communications reduces the exposure of the channel itself, separate from the exposure of the mailbox.

Third-party vendor review. Before granting any vendor access to firm systems, understand what data they will access, how they secure it, whether they have had documented breaches, and what your contractual recourse is if their breach exposes client data. This is basic due diligence that most firms skip for the sake of contract speed. The same logic applies to the regulatory side, covered in our piece on GDPR compliance for solo lawyers and small firms, where vendor accountability is a documented obligation, not a suggestion.

Frequently asked questions

Are solo practitioners at lower risk?

No. Solo practitioners are often targeted because they have the same valuable client data as larger firms with significantly less security infrastructure. The attacker’s calculus is access per effort, and a solo practitioner with one device and one email account is easier to compromise than a firm with an IT department.

Does attorney-client privilege protect against a breach?

No. Attorney-client privilege is a legal protection that governs disclosure in legal proceedings. It does not prevent a breach from occurring, does not prevent an attacker from reading the communications, and does not provide a legal remedy against the attacker in most practical scenarios. It governs what can be used in court, not what can be stolen.

What is the ethical obligation if the firm is breached?

Rules of Professional Conduct in most US states require attorneys to take reasonable measures to safeguard client information and to notify clients of breaches that may affect their interests. The specific notification requirements vary by state. The trend in bar guidance is toward treating cybersecurity as part of the competence obligation, meaning that a failure to implement reasonable security practices can be a disciplinary matter separate from the notification obligation. The baseline that satisfies most state bar guidance is set out in our pillar on digital security for law firms in 2026.

Should we tell clients about a near-miss?

Generally no, if the near-miss did not result in unauthorised access to client data. A blocked phishing attempt, a quarantined malware sample, or a credential compromise that triggered MFA without further movement does not trigger notification obligations in any current US or EU framework. The internal lesson is to log it, fix the gap, and run a tabletop on what would have happened if the next layer had also failed. Disclose to clients only when their data was actually exposed or when contract terms require it.


There’s no perfect setup. Anyone selling you perfect is selling fear. The goal is simple: make yourself a harder target than the person next to you.
